CSIS websites show signs of spam-style ‘Pharma Hack’

The agency at the heart of Canada’s security and intelligence network — and which investigates threats to cyber-security — appears to have had its own websites compromised by rogue online vendors of Viagra and other pharmaceuticals.

Searches conducted through major search engines Google, Bing and Yahoo! reveal that at least two CSIS sites are infected with so-called “pharma malware,” one of the most common spam-style attacks on the web. Searches for dozens of pages in French and English on CSIS’s employee-recruiting sites www.csiscareers.ca and www.carriereauscrs.ca reveal results with warnings “this site may be compromised.”

Where they would normally display a short excerpt or description of the content on web pages, the search engines’ results for the infected CSIS pages read, among other things: “buy cheap viagra online without prescription”; “valtrex for cold sore prevention”; and “Tadalafil cialis brand lilly cheap 100mg generic with mastercard express shipping.” The messages appear to be hidden inside the page’s coding and are not visible when visitors open the actual CSIS pages.

Tahera Mufti, a media liaison at CSIS, said there was nothing to be concerned about. “For your information our website is fine, as you can see for yourself,” she said in an email to the National Post on Friday.

Still, one digital security consultant decried it as an “embarrassment” that the agency charged with securing intelligence secrets has evidently failed to secure its own websites against a rather simple method of infiltration. He added, however, that the CSIS human-resources websites in question are low-level and therefore likely to receive less attention from the agency’s IT-security staff. The infiltration does not appear to have affected CSIS’s main website, www.csis-scrs.gc.ca.

According to Google’s resources for webmasters, this kind of pharmacy hack uses what IT specialists call redirection malware. Spam links for drugs such as Viagra, Cialis, Xanax and other staples of Internet schemes are “cloaked,” hidden from visitors viewing the websites (which is why those who click the search result find a CSIS page that appears normal), but the hacked content is visible to Google and other search engine robots. The content is unlikely to harm visitors’ computers, but it can be used to bounce them over to the hackers’ websites or clutter up screens with pop-up ads. In a worst-case scenario, the method can be used to covertly infect visitors’ computers with malware, or malicious software, that can secretly gather information from or otherwise compromise computers.
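A site owner can check for the cloaking described above by comparing the page text a visitor receives with the text a search crawler receives, and by looking for spam terms tucked into hidden markup. The following is an added example, not part of the original article: the term list comes from the snippets quoted above, while the two HTML samples, the function names, the idea of fetching with two different User-Agent strings and the inline-CSS hiding check are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Terms taken from the search-result snippets quoted in the article.
SPAM_TERMS = ("viagra", "cialis", "xanax", "valtrex", "tadalafil")
HIDING_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}  # never closed

class TextSplitter(HTMLParser):
    """Sorts page text into what a visitor sees and what inline CSS hides."""
    def __init__(self):
        super().__init__()
        self.open_tags = []  # one flag per open element: does it hide content?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            style = dict(attrs).get("style") or ""
            self.open_tags.append(bool(HIDING_CSS.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.open_tags:
            self.open_tags.pop()

    def handle_data(self, data):
        bucket = self.hidden if any(self.open_tags) else self.visible
        bucket.append(data.lower())

def spam_terms(chunks):
    text = " ".join(chunks)
    return {term for term in SPAM_TERMS if term in text}

def audit(visitor_html, crawler_html):
    """Report spam terms hidden in the visitor page or served only to crawlers."""
    visitor, crawler = TextSplitter(), TextSplitter()
    visitor.feed(visitor_html)
    crawler.feed(crawler_html)
    seen_by_visitor = spam_terms(visitor.visible)
    seen_by_crawler = spam_terms(crawler.visible + crawler.hidden)
    return {
        "hidden_in_markup": sorted(spam_terms(visitor.hidden)),
        "crawler_only": sorted(seen_by_crawler - seen_by_visitor),
    }

# Constructed samples: the same URL as it might be returned to a browser
# User-Agent and to a search-crawler User-Agent (assumed fetch method).
VISITOR = '<html><body><h1>Careers</h1><div style="display:none">cheap xanax</div></body></html>'
CRAWLER = '<html><body><h1>Careers</h1><p>buy cheap viagra online</p><p>Tadalafil cialis</p></body></html>'

print(audit(VISITOR, CRAWLER))
```

A non-empty `crawler_only` list means the server is returning different content to crawlers than to people, which is the condition behind the “this site may be compromised” warnings.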

Robert Beggs, CEO of Digital Defence, a Burlington, Ont.-based company that provides information security services to corporate clients, believes the attack in question is almost certainly an automated one and unlikely to be specifically targeting CSIS. He said it appears to be an “SQL injection,” where a hacking program scours websites for forms meant for visitors to fill out. Instead of filling in requested information such as a name and address, the program then enters coded commands using the SQL database format. This allows hackers to interact with the database and replace content on affected web pages.

Mr. Beggs estimates some 70% of websites are poorly secured and vulnerable to such attacks, but he says it’s unusual for large companies and organizations with a dedicated IT staff not to be protected. “CSIS should not be vulnerable to SQL injection. It’s an embarrassment that the people responsible for the government’s secrets aren’t doing the most minor, easy-to-fix stuff for their own websites,” he said.

Mr. Beggs said the attack is also “indicative of a lack of a consistent security program.” He finds this troubling given that a number of easily available software security programs, both free and commercial, scan for and protect against this type of vulnerability.

While Mr. Beggs doubts that this particular attack has been used to steal information, he said CSIS needs to analyze what happened and why part of its processes seems to have failed.

“This is a symptom of the shoemaker’s children who don’t have proper shoes,” he said.